On 2022-07-07 at 09:26:43 UTC-0400 (Thu, 7 Jul 2022 14:26:43 +0100)
Linkcheck <post...@linkcheck.co.uk>
is rumored to have said:

I have a relatively new installation of postfix with clamav and spamassassin milters. In general it seems to work fine.

The Debian server sends a variety of notifications from localhost through postfix to a domain mailbox ad...@example.co.uk. On the way it's filtered by spamassassin, which is pointless. Could someone suggest a way to bypass SA for localhost, please?

That depends on which particular milter you are using to implement SpamAssassin.

For example, in MailMunge or MIMEDefang, you would do this by wrapping the call to spam_assassin_check() in the local filter file in a conditional based on the sender address and/or connecting IP. Consult the documentation for your milter for information on its configuration.

In the event that your milter doesn't have a way to skip filtering for some messages, you should not ever miscategorize internal mail with SpamAssassin if you have properly configured the internal_networks, trusted_networks, and msa_networks parameters correctly. If somehow you are miscategorizing internal mail, you can add local rules to prevent that, and even use the "shortcircuit" feature of SA to minimize the work of doing so.

Other ways to do this:

1. Have your notifications from the local machine use the sendmail program to submit messages locally rather than via SMTP over port 25. This avoids the SA milter because your non_smtpd_milters setting does not include the SA milter.

2. Have your notifications use submission protocol (a restricted subset of SMTP) with authentication or network-based trust (which is safe for localhost) on port 587 rather than SMTP over port 25. This avoids the SA milter because of the "smtpd_milters=$mua_milters" override in master.cf. Also: see below


[...]
mua_recipient_restrictions = permit_mynetworks permit_sasl_authenticated permit

That is VERY BAD.

Your submission service appears to be an open relay. Change the final 'permit' to 'reject' to fix that.

[...]

smtpd_sasl_auth_enable = yes

Remove from main.cf. There should never be a need to allow authentication on port 25 if you have a submission service with an override enabling it, as you do.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
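
A check for the two settings flagged in the reply above, as an added example that is not part of the original message or of Postfix. The function names are hypothetical, the sample input is constructed from the two quoted lines, and the parser is a simplification: it reads main.cf-style text only (no master.cf "-o" overrides) and expands only $name and ${name} references.

```python
import re

# Restrictions that refuse everyone who has not already been permitted.
TERMINAL_DENY = {"reject", "defer", "reject_unauth_destination", "defer_unauth_destination"}

def parse_main_cf(text):
    """Parse main.cf-style 'name = value' text, joining continuation lines."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and name:      # leading whitespace continues the previous value
            params[name] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        name = name.strip()
        params[name] = value.strip()
    return params

def expand(value, params, depth=0):
    """Expand $name / ${name} references such as $mua_recipient_restrictions."""
    if depth > 10:                         # guard against self-referencing parameters
        return value
    def sub(m):
        return expand(params.get(m.group(1) or m.group(2), ""), params, depth + 1)
    return re.sub(r"\$(?:\{(\w+)\}|(\w+))", sub, value)

def falls_through_to_permit(value, params):
    """True if an unconditional 'permit' is reached before any blanket reject/defer."""
    for token in re.split(r"[,\s]+", expand(value, params).strip()):
        if token in TERMINAL_DENY:
            return False
        if token == "permit":
            return True
    return False

def audit(text):
    """Return findings for permit-terminated restriction lists and global SASL auth."""
    params = parse_main_cf(text)
    findings = [f"{n}: unconditional 'permit' with no reject before it"
                for n, v in params.items()
                if n.endswith("_restrictions") and falls_through_to_permit(v, params)]
    if params.get("smtpd_sasl_auth_enable", "no").lower() == "yes":
        findings.append("smtpd_sasl_auth_enable: enabled globally in main.cf")
    return findings

# Constructed sample: the two lines quoted in the thread, then the suggested fix.
SAMPLE = ("mua_recipient_restrictions = permit_mynetworks permit_sasl_authenticated permit\n"
          "smtpd_sasl_auth_enable = yes\n")
FIXED = SAMPLE.replace("permit\n", "reject\n").replace("smtpd_sasl_auth_enable = yes\n", "")
```

audit(SAMPLE) reports both settings; audit(FIXED) reports nothing.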
